Neal:
On Sat, Jul 27, 2002 at 04:01:09PM -0500, Neal Hamilton wrote:
> I can't find any documentation on what would be a starting point for cpu/mem
> requirements. The spare machines I have rummaged up for this
> project are the following:
One of those sorts of questions that mainly get answered "It
depends..."
The general snort answer:
1) how many, and what sort of rules will you be running? "Fewer" is
better, but what's "fewer"...
2) what kind of logging will you be doing? -b binary logging is by
far fastest; logging to a console is slow.
3) what else is running on the snort host? Database; web server; etc
etc..?
> 1. The sensor that will be running snort (266mhz pent2 with 396meg ram).
> The sensor is on an ipf/openbsd bridge with 3 interfaces. 2 of the
> interfaces will be in bridge mode with no ip address. Of the 2 stealth
> interfaces only one, the one connected to the cable modem, will be running
> as a snort sensor and will have no firewall rules associated with it as I
> want to see everything and filtering would make the snort sensor useless.
> The other stealth interface will be connected to the nat router from my lan
> and will not be a sensor but will have some filters applied to it.
> Is the above acceptable for a cable modem 10/100 network?
I'd think, absolutely, but see: 1), 2), and 3), above.
I'm running snort on a firewall/router, a Pentium 150 classic with
96mb RAM out of a modem, for a 10/100 LAN with four other boxes back
behind, and snort never breaks a sweat.
I *am* binary logging, and logging to syslog, and I'm also alerting to
a MySQL database off on another host..
I'm running snort against most all of the stock rules, and maybe an
additional 75 more custom rules that essentially alert or log
*everything*
My snort host is also running a caching-only nameserver, tcpdump on
two interfaces, xntpd, emacs, but *not* X -- it's CLI only..
> 2. The PureSecure Console running mysql and apache. Note: server will not
> be running snort, the main sensor is the box mentioned above. The machine I
> have picked up for this is a (500mhz amd with 256 megs of pc-100 ram and an
> 80gig ata100 hd.) Is this enough power for currently one sensor and maybe
> another later?
I'm running ACID/MySQL on an AMD K6-2 500, 256mb RAM, that's running
a lot of other stuff, and it never breaks a sweat, either. OS = RHL 7.2
> The OS I have chosen for the sensor (bridge) is OpenBSD 3.1.
> The OS I have chosen for the MySQL database and apache server is Red Hat
> Linux 7.2, because there will be another app running on this box that only
> runs on Red Hat Linux...so I have to use it. The app does not use much
> cpu/memory; sometimes I can't even tell it's running because it has such a
> small footprint.
> Any advice, help, guidance would be appreciated.
> Have a great day.
> Thanks,
> Neal Hamilton
Best wishes,
- John
--
Why, yes, I talk to birds. I speak fluent finch.
PGP key http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5